Projects
Mega:23.03
libldb
_service:tar_scm:backport-0010-CVE-2023-0614.patch
Sign Up
Log In
Username
Password
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File _service:tar_scm:backport-0010-CVE-2023-0614.patch of Package libldb
From 8e84201f508b2893b6ec9383c656cccb08b148ef Mon Sep 17 00:00:00 2001 From: Joseph Sutton <josephsutton@catalyst.net.nz> Date: Mon, 27 Feb 2023 10:31:52 +1300 Subject: [PATCH 14/34] CVE-2023-0614 ldb: Make use of ldb_filter_attrs_in_place() Change all uses of ldb_kv_filter_attrs() to use ldb_filter_attrs_in_place() instead. This function does less work than its predecessor, and no longer requires the allocation of a second ldb message. Some of the work is able to be split out into separate functions that each accomplish a single task, with a purpose to make the code clearer. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Conflict: NA Reference: https://attachments.samba.org/attachment.cgi?id=17821 --- ldb_key_value/ldb_kv.h | 6 +- ldb_key_value/ldb_kv_index.c | 27 +++++---- ldb_key_value/ldb_kv_search.c | 86 ++++++++++++++------------- 4 files changed, 66 insertions(+), 65 deletions(-) diff --git a/ldb_key_value/ldb_kv.h b/ldb_key_value/ldb_kv.h index ac474b04b4c..7d5a40e76e9 100644 --- a/ldb_key_value/ldb_kv.h +++ b/ldb_key_value/ldb_kv.h @@ -301,10 +301,8 @@ int ldb_kv_search_key(struct ldb_module *module, const struct ldb_val ldb_key, struct ldb_message *msg, unsigned int unpack_flags); -int ldb_kv_filter_attrs(struct ldb_context *ldb, - const struct ldb_message *msg, - const char *const *attrs, - struct ldb_message *filtered_msg); +int ldb_kv_filter_attrs_in_place(struct ldb_message *msg, + const char *const *attrs); int ldb_kv_search(struct ldb_kv_context *ctx); /* diff --git a/ldb_key_value/ldb_kv_index.c b/ldb_key_value/ldb_kv_index.c index d70e5f619ef..203266ea8c9 100644 --- a/ldb_key_value/ldb_kv_index.c +++ b/ldb_key_value/ldb_kv_index.c @@ -2264,7 +2264,6 @@ static int ldb_kv_index_filter(struct ldb_kv_private *ldb_kv, { struct ldb_context *ldb = ldb_module_get_ctx(ac->module); struct ldb_message *msg; - struct ldb_message *filtered_msg; unsigned int i; unsigned int num_keys = 0; uint8_t previous_guid_key[LDB_KV_GUID_KEY_SIZE] = {0}; @@ -2456,27 +2455,31 @@ static int ldb_kv_index_filter(struct ldb_kv_private *ldb_kv, continue; } - filtered_msg = ldb_msg_new(ac); - if (filtered_msg == NULL) { - TALLOC_FREE(keys); - TALLOC_FREE(msg); + ret = ldb_msg_add_distinguished_name(msg); + if (ret == -1) { + talloc_free(msg); return LDB_ERR_OPERATIONS_ERROR; } - filtered_msg->dn = talloc_steal(filtered_msg, msg->dn); - /* filter the attributes that the user wants */ - ret = ldb_kv_filter_attrs(ldb, msg, ac->attrs, filtered_msg); + ret = ldb_kv_filter_attrs_in_place(msg, ac->attrs); + if (ret != LDB_SUCCESS) { + talloc_free(keys); + talloc_free(msg); + return LDB_ERR_OPERATIONS_ERROR; + } - talloc_free(msg); + ldb_msg_shrink_to_fit(msg); - if (ret == -1) { - TALLOC_FREE(filtered_msg); + /* Ensure the message elements are all talloc'd. */ + ret = ldb_msg_elements_take_ownership(msg); + if (ret != LDB_SUCCESS) { talloc_free(keys); + talloc_free(msg); return LDB_ERR_OPERATIONS_ERROR; } - ret = ldb_module_send_entry(ac->req, filtered_msg, NULL); + ret = ldb_module_send_entry(ac->req, msg, NULL); if (ret != LDB_SUCCESS) { /* Regardless of success or failure, the msg * is the callbacks responsiblity, and should diff --git a/ldb_key_value/ldb_kv_search.c b/ldb_key_value/ldb_kv_search.c index 46031b99c16..f3333510eab 100644 --- a/ldb_key_value/ldb_kv_search.c +++ b/ldb_key_value/ldb_kv_search.c @@ -292,15 +292,13 @@ int ldb_kv_search_dn1(struct ldb_module *module, /* * filter the specified list of attributes from msg, - * adding requested attributes, and perhaps all for *, - * but not the DN to filtered_msg. + * adding requested attributes, and perhaps all for *. + * The DN will not be added if it is missing. */ -int ldb_kv_filter_attrs(struct ldb_context *ldb, - const struct ldb_message *msg, - const char *const *attrs, - struct ldb_message *filtered_msg) +int ldb_kv_filter_attrs_in_place(struct ldb_message *msg, + const char *const *attrs) { - return ldb_filter_attrs(ldb, msg, attrs, filtered_msg); + return ldb_filter_attrs_in_place(msg, attrs); } /* @@ -313,7 +311,7 @@ static int search_func(_UNUSED_ struct ldb_kv_private *ldb_kv, { struct ldb_context *ldb; struct ldb_kv_context *ac; - struct ldb_message *msg, *filtered_msg; + struct ldb_message *msg; struct timeval now; int ret, timeval_cmp; bool matched; @@ -410,25 +408,31 @@ static int search_func(_UNUSED_ struct ldb_kv_private *ldb_kv, return 0; } - filtered_msg = ldb_msg_new(ac); - if (filtered_msg == NULL) { - TALLOC_FREE(msg); + ret = ldb_msg_add_distinguished_name(msg); + if (ret == -1) { + talloc_free(msg); return LDB_ERR_OPERATIONS_ERROR; } - filtered_msg->dn = talloc_steal(filtered_msg, msg->dn); - /* filter the attributes that the user wants */ - ret = ldb_kv_filter_attrs(ldb, msg, ac->attrs, filtered_msg); - talloc_free(msg); + ret = ldb_kv_filter_attrs_in_place(msg, ac->attrs); + if (ret != LDB_SUCCESS) { + talloc_free(msg); + ac->error = LDB_ERR_OPERATIONS_ERROR; + return -1; + } - if (ret == -1) { - TALLOC_FREE(filtered_msg); + ldb_msg_shrink_to_fit(msg); + + /* Ensure the message elements are all talloc'd. */ + ret = ldb_msg_elements_take_ownership(msg); + if (ret != LDB_SUCCESS) { + talloc_free(msg); ac->error = LDB_ERR_OPERATIONS_ERROR; return -1; } - ret = ldb_module_send_entry(ac->req, filtered_msg, NULL); + ret = ldb_module_send_entry(ac->req, msg, NULL); if (ret != LDB_SUCCESS) { ac->request_terminated = true; /* the callback failed, abort the operation */ @@ -491,7 +495,7 @@ static int ldb_kv_search_full(struct ldb_kv_context *ctx) static int ldb_kv_search_and_return_base(struct ldb_kv_private *ldb_kv, struct ldb_kv_context *ctx) { - struct ldb_message *msg, *filtered_msg; + struct ldb_message *msg; struct ldb_context *ldb = ldb_module_get_ctx(ctx->module); const char *dn_linearized; const char *msg_dn_linearized; @@ -549,12 +553,6 @@ static int ldb_kv_search_and_return_base(struct ldb_kv_private *ldb_kv, dn_linearized = ldb_dn_get_linearized(ctx->base); msg_dn_linearized = ldb_dn_get_linearized(msg->dn); - filtered_msg = ldb_msg_new(ctx); - if (filtered_msg == NULL) { - talloc_free(msg); - return LDB_ERR_OPERATIONS_ERROR; - } - if (strcmp(dn_linearized, msg_dn_linearized) == 0) { /* * If the DN is exactly the same string, then @@ -562,36 +560,42 @@ static int ldb_kv_search_and_return_base(struct ldb_kv_private *ldb_kv, * returned result, as it has already been * casefolded */ - filtered_msg->dn = ldb_dn_copy(filtered_msg, ctx->base); + struct ldb_dn *dn = ldb_dn_copy(msg, ctx->base); + if (dn != NULL) { + msg->dn = dn; + } } - /* - * If the ldb_dn_copy() failed, or if we did not choose that - * optimisation (filtered_msg is zeroed at allocation), - * steal the one from the unpack - */ - if (filtered_msg->dn == NULL) { - filtered_msg->dn = talloc_steal(filtered_msg, msg->dn); + ret = ldb_msg_add_distinguished_name(msg); + if (ret == -1) { + talloc_free(msg); + return LDB_ERR_OPERATIONS_ERROR; } /* * filter the attributes that the user wants. */ - ret = ldb_kv_filter_attrs(ldb, msg, ctx->attrs, filtered_msg); - if (ret == -1) { + ret = ldb_kv_filter_attrs_in_place(msg, ctx->attrs); + if (ret != LDB_SUCCESS) { + talloc_free(msg); + return LDB_ERR_OPERATIONS_ERROR; + } + + ldb_msg_shrink_to_fit(msg); + + /* Ensure the message elements are all talloc'd. */ + ret = ldb_msg_elements_take_ownership(msg); + if (ret != LDB_SUCCESS) { talloc_free(msg); - filtered_msg = NULL; return LDB_ERR_OPERATIONS_ERROR; } /* - * Remove any extended components possibly copied in from - * msg->dn, we just want the casefold components + * Remove any extended components, we just want the casefold components */ - ldb_dn_remove_extended_components(filtered_msg->dn); - talloc_free(msg); + ldb_dn_remove_extended_components(msg->dn); - ret = ldb_module_send_entry(ctx->req, filtered_msg, NULL); + ret = ldb_module_send_entry(ctx->req, msg, NULL); if (ret != LDB_SUCCESS) { /* Regardless of success or failure, the msg * is the callbacks responsiblity, and should -- 2.25.1
Locations
Projects
Search
Status Monitor
Help
Open Build Service
OBS Manuals
API Documentation
OBS Portal
Reporting a Bug
Contact
Mailing List
Forums
Chat (IRC)
Twitter
Open Build Service (OBS)
is an
openSUSE project
.
浙ICP备2022010568号-2